
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta name="Description" content="Webmin, Usermin, Virtualmin, Cloudmin, Linux, System Administration" />
<meta name="Keywords" content="Webmin Usermin Virtualmin Cloudmin Linux System Administration" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="Robots" content="index,follow" />

<link rel="stylesheet" href="images/Refresh.css" type="text/css" />

<title>Webmin</title>
	
</head>

<body>
<!-- wrap starts here -->
<div id="wrap">
		
		<!--header -->
		<div id="header">			
				
			<!-- <h1 id="logo-text">Webmin</h1>		
			<h2 id="slogan">Web-based system administration</h2>-->
				
			<form class="search" method="get" action="http://www.google.com/search">
				<p>
	  			<input class="textbox" type="text" name="q" value="" />
				<input type="hidden" name="num" value="20" />
				<input type="hidden" name="as_sitesearch" value="www.webmin.com" />
	 			<input class="button" type="submit" name="Submit" value="Search" />
				</p>
			</form>			
				
		</div>
		
		<!-- menu -->	
		<div  id="menu">
			<ul>
				<li id="current"><a href="index.html">Home</a></li>
				<li ><a href="download.html">Downloads</a></li>
				<li ><a href="docs.html">Documentation</a></li>
				<li ><a href="usermin.html">Usermin</a></li>
				<li ><a href="virtualmin.html">Virtualmin</a></li>
				<li ><a href="cloudmin.html">Cloudmin</a></li>
				<li ><a href="community.html">Community</a></li>		
<!--
				<li ><a href="mirrors.html">Mirrors</a></li>		
-->
			</ul>
		</div>					
			
		<!-- content-wrap starts here -->
		<div id="content-wrap">
				
			<div id="sidebar">
					
				
				<h1>Download Webmin 1.983</h1>
				<div class="left-box">
					<ul class="sidemenu">				
					<li><a href="http://prdownloads.sourceforge.net/webadmin/webmin-1.983-1.noarch.rpm">RPM</a></li>
					<li><a href="http://prdownloads.sourceforge.net/webadmin/webmin_1.983_all.deb">Debian Package</a></li>
					<li><a href="http://prdownloads.sourceforge.net/webadmin/webmin-1.983.tar.gz">TAR file</a></li>
					<li><a href="http://prdownloads.sourceforge.net/webadmin/webmin-1.983.pkg.gz">Solaris Package</a></li>
					<li><a href="devel.html">Development Versions</a></li>
					<li><a href="third.html">Third-Party Modules</a></li>
					</ul>	
				</div>
				

				
				<h1>Webmin Links</h1>
				<div class="left-box">
					<ul class="sidemenu">
					<li><a href="intro.html">Introduction To Webmin</a></li>
					<li><a href="support.html">Supported Systems</a></li>
					<li><a href="http://doxfer.webmin.com/Webmin/Modules">Module Documentation</a></li>
					<li><a href="demo.html">Screenshots</a></li>
					<li><a href="standard.html">Standard Modules</a></li>
					<li><a href="lang.html">Supported Languages</a></li>
					<li><a href="updates.html">Updated Modules</a></li>
					<li><a href="changes.html">Change Log</a></li>
					<li><a href="about.html">About the Author</a></li>
					<li><a href="security.html"><i>Security Alerts</i></a></li>
					<li><a href="http://github.com/webmin/webmin/commits/master">Recent Changes in Git</a></li>
  					</ul>	
				</div>
				
				
				
				
				
				
				
			
				<div class="left-box">
					<a href="http://www.virtualmin.com/"><img src="images/virtualmin-ad2.png" border="0" alt="Virtualmin" /></a>
				</div>	

				<h1>Other Sites</h1>
				<div class="left-box">
					<ul class="sidemenu">
					<li><a href="http://www.virtualmin.com/">Virtualmin Pro</a></li>
					<li><a href="partners.html">Webmin Supporters</a></li>
					<li><a href="http://www.styleshout.com/">StyleShout</a></li>
  					</ul>	

					<div align="center">
					<a href="http://sourceforge.net/projects/webadmin"><img src="http://sourceforge.net/sflogo.php?group_id=17457" width="88" height="31" border="0" alt="SourceForge Logo" /></a><br />
					<!-- MIRROR LOGO -->
					</div>
				</div>
				
			</div>
				
			<div id="main">
		


<h1>Webmin 1.890 Exploit - What Happened?</h1>

<p>
Webmin version 1.890 was released with a backdoor that allowed anyone who knew
of it to execute commands as <tt>root</tt>. Versions 1.900 to 1.920 also
contained a backdoor using similar code, but it was not exploitable in a
default Webmin install: it could only be used by an attacker if the admin had
enabled the option at Webmin -&gt; Webmin Configuration -&gt; Authentication
that allows changing of expired passwords.
</p>

<p>
Neither of these was an accidental bug; rather, the Webmin source code had
been maliciously modified to add a non-obvious vulnerability. It appears that
this happened as follows:
</p>

<ul>
<li>At some time in April 2018, the Webmin development build server was
    exploited and a vulnerability added to the <tt>password_change.cgi</tt>
    script. Because the timestamp on the file was set back, the change did not
    show up in any Git diffs. This was included in the Webmin 1.890 release.</li>

<li>The vulnerable file was reverted to the checked-in version from Github, but
    sometime in July 2018 the file was modified again by the attacker. This
    time, however, the exploit was added to code that is only executed if
    changing of expired passwords is enabled. This was included in the Webmin
    1.900 release.</li>

<li>On September 10th 2018, the vulnerable build server was decommissioned and
    replaced with a newly installed server running CentOS 7. However, the build
    directory containing the modified file was copied across from backups made
    on the original server.</li>

<li>On August 17th 2019, we were informed that a 0-day exploit that made use
    of the vulnerability had been released. In response, the exploit code was
    removed and Webmin version 1.930 created and released to all users.</li>
</ul>

<p>
In order to prevent similar attacks in future, we're doing the following:
</p>

<ul>
<li>Updating the build process to use only checked-in code from Github, rather
    than a local directory that is kept in sync.</li>

<li>All passwords and keys accessible from the old build system have been
    rotated.</li>

<li>Auditing all Github checkins over the past year to look for commits that
    may have introduced similar vulnerabilities.</li>
</ul>
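<p>
The following is an added example written for this page; it is not Webmin
project code. It illustrates why a build directory "kept in sync" by timestamp
could carry a back-dated modification that never showed up, and what building
only from checked-in content guards against: it compares a build tree with a
reference tree first by size and modification time (an rsync-style quick check)
and then by SHA-256 of file contents. The two trees, the file names (the
<tt>password_change.cgi</tt> sample is a constructed stand-in, not the real
script) and the timestamp used are all constructed for the demonstration.
</p>

```python
"""Compare a build tree against a checked-in reference tree.

Added example, not Webmin project code. A stat-based quick check is
fooled by a same-size change whose mtime is reset; a content-hash
check flags the change regardless of file metadata.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path):
    """Return the hex SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relative_files(root):
    """Yield every regular file under root as a path relative to root."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root)


def stat_diff(reference, build):
    """Quick check: report a file only if it is missing from the build tree
    or its size or whole-second mtime differs from the reference copy."""
    changed = []
    for rel in relative_files(reference):
        ref, cur = reference / rel, build / rel
        if not cur.exists():
            changed.append(str(rel))
            continue
        rs, cs = ref.stat(), cur.stat()
        if rs.st_size != cs.st_size or int(rs.st_mtime) != int(cs.st_mtime):
            changed.append(str(rel))
    return changed


def content_diff(reference, build):
    """Content check: hash every file in both trees and report each path that
    differs, is missing from one tree, or exists only in the build tree."""
    ref_hashes = {str(r): file_sha256(reference / r) for r in relative_files(reference)}
    build_hashes = {str(r): file_sha256(build / r) for r in relative_files(build)}
    names = set(ref_hashes) | set(build_hashes)
    return sorted(n for n in names if ref_hashes.get(n) != build_hashes.get(n))


def demo():
    """Build two constructed trees, apply a same-size change to the build copy,
    reset its mtime, and return what each check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "checked-in"
        build = Path(tmp) / "build-dir"
        for root in (reference, build):
            (root / "acl").mkdir(parents=True)
            # Constructed stand-in for the script named on the page.
            (root / "password_change.cgi").write_text(
                "#!/usr/bin/perl\n# constructed sample, not the real script\n"
                "print \"ok\\n\";\n")
            (root / "acl" / "index.cgi").write_text("# constructed sample\nprint 1;\n")
        # Give both copies the same timestamp, as a synced tree would have.
        stamp = 1524000000  # constructed epoch value, mid-April 2018
        for root in (reference, build):
            for rel in relative_files(root):
                os.utime(root / rel, (stamp, stamp))
        # Modify the build copy without changing its length, then set the
        # timestamp back so stat data looks untouched.
        target = build / "password_change.cgi"
        original = target.read_text()
        tampered = original.replace('print "ok\\n";', 'print "no\\n";')
        if len(tampered) != len(original):
            raise RuntimeError("sample edit must keep the file size unchanged")
        target.write_text(tampered)
        os.utime(target, (stamp, stamp))
        return {
            "stat_check": stat_diff(reference, build),
            "content_check": content_diff(reference, build),
        }


if __name__ == "__main__":
    print(demo())
```

<p>
Running the block prints an empty list for the stat-based check and
<tt>['password_change.cgi']</tt> for the content check. The design point is
that the reference copy must itself come from the version-controlled source,
so the comparison is against what was actually committed rather than against
whatever the build host already holds.
</p>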

			</div>
		<!-- content-wrap ends here -->	
		</div>
					
		<!--footer starts here-->
		<div id="footer">
			
			<p>
			&copy; 2006-2016 <strong>Webmin</strong> | 
			Design by: <a href="http://www.styleshout.com/">styleshout</a>
			
   		&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
			
			<a href="index.html">Home</a>&nbsp;|&nbsp;
	<!--
   		<a href="sitemap.html">Sitemap</a>&nbsp;|&nbsp;
	-->
   		</p>
		
		</div>	

<!-- wrap ends here -->
</div>


</body>
</html>

